Advisories » MGASA-2016-0340

Updated python-twisted-web packages fix a security vulnerability

Publication date: 12 Oct 2016
Modification date: 12 Oct 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-1000111

Description

It was discovered that python-twisted-web used the value of the Proxy header
from HTTP requests to initialize the HTTP_PROXY environment variable for CGI
scripts, which in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing HTTP requests. A remote
attacker could possibly use this flaw to redirect HTTP requests performed by 
a CGI script to an attacker-controlled proxy via a malicious HTTP request.
(CVE-2016-1000111)
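
The mapping described above, as an added example (not twisted.web's code and not part of this advisory): a CGI server exposes each request header as an HTTP_* variable, so a client-sent Proxy header lands in HTTP_PROXY unless the server drops it. The function names, the "naive client" lookup order and the sample headers are assumptions constructed for illustration.

```python
# Added illustration of the header-to-environment mapping; not twisted.web code.
# Function names and sample values are hypothetical, constructed for this example.

def build_cgi_env(headers, base_env=None, strip_proxy=True):
    """Map request headers to CGI meta-variables (RFC 3875, section 4.1.18).

    headers     -- iterable of (name, value) pairs as sent by the client
    base_env    -- environment configured by the administrator, if any
    strip_proxy -- False reproduces the flawed behaviour described above
    """
    env = dict(base_env or {})
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value          # these two carry no HTTP_ prefix
            continue
        if strip_proxy and key == "PROXY":
            continue                  # never let a client header become HTTP_PROXY
        env["HTTP_" + key] = value
    return env


def proxy_seen_by_client(env):
    """Proxy a naive HTTP client in the CGI script would use (assumed lookup order)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed sample request headers; host names are documentation-only.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("Content-Type", "text/plain"),
    ("proxy", "http://proxy.example.invalid:8080"),  # header names are case-insensitive
]

if __name__ == "__main__":
    admin_env = {"http_proxy": "http://admin-proxy.example.test:3128"}
    flawed = build_cgi_env(SAMPLE_HEADERS, admin_env, strip_proxy=False)
    fixed = build_cgi_env(SAMPLE_HEADERS, admin_env)
    print("flawed env proxy:", proxy_seen_by_client(flawed))
    print("fixed env proxy: ", proxy_seen_by_client(fixed))
```

With the header dropped, the administrator's lowercase http_proxy setting is the only proxy value left in the script's environment.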
                

References

SRPMS

5/core